SystemUI As EvilPiP: The Hijacking Attacks on Modern Mobile Devices
Learn how attackers exploit Android's Picture-in-Picture feature to hijack foreground activities and bypass security restrictions, compromising system integrity.
- Activity Hijack Attack (HA) is a technique in which malware injects malicious content into trusted applications by seizing foreground control.
- Three key requirements for a successful HA attack:
  - Ability to start an activity from the background
  - Ability to detect runtime state from the background
  - Ability to run persistently in the background
- Google implemented several security policies to prevent HA:
  - Runtime state leaking restrictions
  - Background execution limitations
  - Permission Access Level (PAL) restrictions
- Picture-in-Picture (PiP) vulnerabilities can be exploited to bypass these restrictions:
  - Abnormal PiP window sizing can be used to create invisible windows
  - The system considers PiP windows visible even when minimized
  - PiP windows can maintain high-priority status
- Key bypass techniques discovered:
  - Using accessibility services and system services to gain elevated privileges
  - Exploiting account manager bindings
  - Manipulating out-of-memory (OOM) ADJ scores
  - Creating system window types with higher z-index values
- Vulnerable applications are targeted through:
  - Background service binding
  - Activity launch chain manipulation
  - Window container transition objects
  - Surface control transitions
- The attack is particularly effective because it:
  - Requires no dangerous runtime permissions
  - Can be undetectable to users
  - Works across multiple Android versions
  - Can target sensitive applications such as banking apps
- Multiple CVEs were discovered related to PiP and SystemUI vulnerabilities across Android versions 32-34